WorkSpaces Operational State

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: WS-002

Ensure that all your AWS WorkSpaces instances are healthy (i.e. the instance state is set to "Healthy"). The AWS WorkSpaces service periodically sends status requests to the WorkSpaces instances. An instance is considered unhealthy when it fails to respond to these HealthCheck requests.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability, Operational excellence

Any AWS WorkSpaces instance that doesn't respond to the service health checks is considered unhealthy and inoperable. Common causes for this issue are: blocked network ports that prevent the instance from responding to the HealthCheck (status) requests, high CPU usage that prevents the instance from responding in a timely manner, configuration changes that prevent a secure channel from being established between the WorkSpaces service and the instance, etc.


Audit

To determine if there are any unhealthy Amazon WorkSpaces instances available in your AWS account, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to WorkSpaces dashboard at https://console.aws.amazon.com/workspaces/.

03 In the left navigation panel click WorkSpaces to access the instances listing page.

04 Choose the WorkSpaces instance that you want to examine then check its operational state available in the Status column:

If the current operational state is set to UNHEALTHY, the selected Amazon WorkSpaces instance is unhealthy (inoperable).

05 Repeat step no. 4 to verify the operational status for other AWS WorkSpaces instances provisioned in the current region.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-workspaces command (OSX/Linux/UNIX) using custom query filters to list the IDs of all WorkSpaces instances available within the selected region:

aws workspaces describe-workspaces \
	--region us-east-1 \
	--output table \
	--query 'Workspaces[*].WorkspaceId'

02 The command output should return a table with the requested WorkSpaces IDs:

--------------------
|DescribeWorkspaces|
+------------------+
|   ws-6dyjqchm0   |
|   ws-4e6il5kr1   |
|   ws-3gtyl1g4d   |
+------------------+

03 Run the describe-workspaces command (OSX/Linux/UNIX) again, using the ID of the WorkSpaces instance that you want to examine as identifier and the necessary query filters to return the operational state for the selected instance:

aws workspaces describe-workspaces \
	--region us-east-1 \
	--workspace-ids ws-6dyjqchm0 \
	--query 'Workspaces[*].State'

04 The command output should return the current operational status of the WorkSpaces instance:

[
    "UNHEALTHY"
]

If the describe-workspaces command output is "UNHEALTHY", the selected Amazon WorkSpaces instance is not operational.

05 Repeat step no. 3 and 4 to verify the operational status for other AWS WorkSpaces instances available within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
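The CLI audit steps above can be run as one pass over several regions. The script below is an added example, not part of the original page or of Conformity; the function names and the user names in the sample rows are assumptions, and the sample rows are constructed (they reuse the example IDs shown above).

```shell
#!/usr/bin/env bash
# Added example: audit rule WS-002 across regions (hypothetical helper names).

# Constructed sample of text-output rows: WorkspaceId <TAB> UserName <TAB> State.
sample_rows() {
  printf 'ws-6dyjqchm0\talice\tUNHEALTHY\n'
  printf 'ws-4e6il5kr1\tbob\tAVAILABLE\n'
  printf 'ws-3gtyl1g4d\tcarol\tUNHEALTHY\n'
}

# Keep only rows whose State column is exactly UNHEALTHY; print ID and user.
filter_unhealthy() {
  awk -F '\t' '$3 == "UNHEALTHY" { print $1 "\t" $2 }'
}

# Turn IDs (first column on stdin) into shorthand arguments for
# --reboot-workspace-requests (RebootWorkspaces accepts at most 25 per call).
to_reboot_requests() {
  awk -F '\t' '{ printf "%sWorkspaceId=%s", (NR > 1 ? " " : ""), $1 }
               END { if (NR) printf "\n" }'
}

# Query one region with the real CLI (needs workspaces:DescribeWorkspaces).
list_region() {
  aws workspaces describe-workspaces --region "$1" --output text \
    --query 'Workspaces[*].[WorkspaceId,UserName,State]'
}

# Audit each region given as an argument. Prints "region<TAB>id<TAB>user"
# per finding. Returns 0 if clean, 1 if any UNHEALTHY WorkSpace was found,
# 2 if a region could not be queried (so an API error is not read as "clean").
audit_regions() {
  found=0
  for region in "$@"; do
    rows=$(list_region "$region") || return 2
    hits=$(printf '%s\n' "$rows" | filter_unhealthy)
    [ -n "$hits" ] || continue
    found=1
    printf '%s\n' "$hits" | awk -v r="$region" '{ print r "\t" $0 }'
  done
  return "$found"
}
```

Source the file and call `audit_regions us-east-1 eu-west-1`; the exit status makes it usable as a scheduled check, and `cut -f2 | to_reboot_requests` turns its output into arguments for the reboot command in Case A.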

Remediation / Resolution

Case A: To reboot an unhealthy AWS WorkSpaces instance, perform the following commands:

Note: The reboot command performs a shutdown and a restart of the WorkSpaces instance. The user data, the operating system (OS) and the system settings are not affected.

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to WorkSpaces dashboard at https://console.aws.amazon.com/workspaces/.

03 In the navigation panel click WorkSpaces to open the instances listing page.

04 Select the unhealthy WorkSpaces instance that you want to reboot (see Audit section part I to identify the right resource).

05 Click the Actions dropdown button from the dashboard top menu and select Reboot WorkSpaces to initiate the reboot process.

06 Within the Reboot WorkSpaces dialog box, review the required details, then click Reboot WorkSpaces to reboot the selected instance. The instance status should change now to REBOOTING. The process may take up to 5 minutes to complete.

07 Repeat steps no. 4 - 6 to reboot other inoperable AWS WorkSpaces instances provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the reboot-workspaces command (OSX/Linux/UNIX) using the ID of the unhealthy WorkSpaces instance that you want to reboot (see Audit section part II to identify the right WorkSpaces resource) to reboot the selected instance:

aws workspaces reboot-workspaces \
	--region us-east-1 \
	--reboot-workspace-requests WorkspaceId=ws-6dyjqchm0

02 If the request succeeded, the command output should return an empty FailedRequests array, as shown in the output example below:

{
    "FailedRequests": []
}

03 Repeat step no. 1 and 2 to reboot other AWS WorkSpaces instances marked as unhealthy, available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Case B: To rebuild an unhealthy AWS WorkSpaces instance, perform the following commands:

Note: The rebuild command will rebuild the operating system (OS) installed on the selected AWS WorkSpaces instance to its original state. The OS is restored to the most recent image of the bundle that the instance is created from. IMPORTANT: Any applications that have been installed, or system settings that have been made after the WorkSpaces instance was created are lost.

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to WorkSpaces dashboard at https://console.aws.amazon.com/workspaces/.

03 In the navigation panel click WorkSpaces to open the instances listing page.

04 Select the inoperable WorkSpaces instance that you want to rebuild (see Audit section part I to identify the right resource).

05 Click the Actions dropdown button from the dashboard top menu and select Rebuild WorkSpaces to initiate the rebuild process.

06 Within the Rebuild WorkSpaces dialog box, review the required details, then click Rebuild WorkSpaces to rebuild the selected instance. The instance status should change now to REBUILDING.

07 Repeat steps no. 4 - 6 to rebuild other inoperable AWS WorkSpaces instances provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the rebuild-workspaces command (OSX/Linux/UNIX) using the ID of the unhealthy WorkSpaces instance that you want to fix (see Audit section part II to identify the right WorkSpaces resource) to rebuild the selected instance:

aws workspaces rebuild-workspaces \
	--region us-east-1 \
	--rebuild-workspace-requests WorkspaceId=ws-6dyjqchm0

02 If successful, the command output should return an empty FailedRequests array, as shown in the output example below:

{
    "FailedRequests": []
}

03 Repeat step no. 1 and 2 to rebuild other unhealthy AWS WorkSpaces instances, available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Publication date Jan 9, 2018